Regular expression denial of service in AngularJS



Published: 2023-08-10 | Updated: 2023-10-09
Risk Medium
Patch available NO
Number of vulnerabilities 3
CVE-ID CVE-2023-26117
CVE-2023-26116
CVE-2023-26118
CWE-ID CWE-1333
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		AngularJS
Web applications / JS libraries

Vendor Google

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Inefficient regular expression complexity

EUVDB-ID: #VU79318

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-26117

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input passed via the $resource service. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

AngularJS: 1.0.0 - 1.8.3

Fixed software versions

CPE2.3 External links

http://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos
http://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Inefficient regular expression complexity

EUVDB-ID: #VU81703

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-26116

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

AngularJS: 1.2.21 - 1.8.3

Fixed software versions

CPE2.3 External links

http://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos
http://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Inefficient regular expression complexity

EUVDB-ID: #VU81699

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-26118

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in the input[url] functionality. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

AngularJS: 1.4.9 - 1.8.3

Fixed software versions

CPE2.3 External links

http://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos
http://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327
http://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###